auth
auth/profile.go
Stop soft-deleting Profiles and actually delete them. The information we're storing in Profiles isn't unique enough that we should go through the hassle we're going through to soft-delete it. Add a deleteProfile method to our profileStore, and implement it for our postgres and memstore implementations. Add a DeleteProfile wrapper for our Context. Remove the Deleted property from the Profile type and the ProfileChange type, and update references to it. Stop cleaning up after our Profile in the UpdateProfileHandler, because there's no longer any way to delete the Profile from the UpdateProfileHandler. Update our get/list* methods so they don't filter on the non-existent Deleted property anymore. Update our SQL schema definition to not include the deleted column. Update our profile tests to use the DeleteProfile method and stop comparing the no-longer-existing Deleted property.
1 package auth
3 import (
4 "encoding/json"
5 "errors"
6 "log"
7 "net/http"
8 "regexp"
9 "strings"
10 "time"
12 "code.secondbit.org/uuid.hg"
13 "github.com/gorilla/mux"
14 )
16 const (
17 // MinPassphraseLength is the minimum length, in bytes, of a passphrase, exclusive.
18 MinPassphraseLength = 6
19 // MaxPassphraseLength is the maximum length, in bytes, of a passphrase, exclusive.
20 MaxPassphraseLength = 64
21 // CurPassphraseScheme is the current passphrase scheme. Incrememnt it when we use a different passphrase scheme
22 CurPassphraseScheme = 1
23 // MaxNameLength is the maximum length, in bytes, of a name, exclusive.
24 MaxNameLength = 64
25 // MaxEmailLength is the maximum length, in bytes, of an email address, exclusive.
26 MaxEmailLength = 64
27 )
29 var (
30 // ErrNoProfileStore is returned when a Context tries to act on a profileStore without setting one first.
31 ErrNoProfileStore = errors.New("no profileStore was specified for the Context")
32 // ErrProfileAlreadyExists is returned when a Profile is added to a profileStore, but another Profile with
33 // the same ID already exists in the profileStore.
34 ErrProfileAlreadyExists = errors.New("profile already exists in profileStore")
35 // ErrProfileNotFound is returned when a Profile is requested but not found in the profileStore.
36 ErrProfileNotFound = errors.New("profile not found in profileStore")
37 // ErrLoginAlreadyExists is returned when a Login is added to a profileStore, but another Login with the same
38 // Type and Value already exists in the profileStore.
39 ErrLoginAlreadyExists = errors.New("login already exists in profileStore")
40 // ErrLoginNotFound is returned when a Login is requested but not found in the profileStore.
41 ErrLoginNotFound = errors.New("login not found in profileStore")
43 // ErrMissingPassphrase is returned when a ProfileChange is validated but does not contain a
44 // Passphrase, and requires one.
45 ErrMissingPassphrase = errors.New("missing passphrase")
46 // ErrMissingPassphraseReset is returned when a ProfileChange is validated but does not contain
47 // a PassphraseReset, and requires one.
48 ErrMissingPassphraseReset = errors.New("missing passphrase reset")
49 // ErrMissingPassphraseResetCreated is returned when a ProfileChange is validated but does not
50 // contain a PassphraseResetCreated, and requires one.
51 ErrMissingPassphraseResetCreated = errors.New("missing passphrase reset created timestamp")
52 // ErrPassphraseTooShort is returned when a ProfileChange is validated and contains a Passphrase,
53 // but the Passphrase is shorter than MinPassphraseLength.
54 ErrPassphraseTooShort = errors.New("passphrase too short")
55 // ErrPassphraseTooLong is returned when a ProfileChange is validated and contains a Passphrase,
56 // but the Passphrase is longer than MaxPassphraseLength.
57 ErrPassphraseTooLong = errors.New("passphrase too long")
59 // ErrProfileCompromised is returned when a user tries to log in with a profile that is suspected
60 // of being compromised.
61 ErrProfileCompromised = errors.New("profile compromised")
62 // ErrProfileLocked is returned when a user tries to log in with a profile that is locked for a certain
63 // duration, to prevent brute force attacks.
64 ErrProfileLocked = errors.New("profile locked")
65 )
67 // Profile represents a single user of the service,
68 // including their authentication information.
69 type Profile struct {
70 ID uuid.ID `json:"id,omitempty"`
71 Name string `json:"name,omitempty"`
72 Passphrase string `json:"-"`
73 Iterations int `json:"-"`
74 Salt string `json:"-"`
75 PassphraseScheme int `json:"-"`
76 Compromised bool `json:"-"`
77 LockedUntil time.Time `json:"-"`
78 PassphraseReset string `json:"-"`
79 PassphraseResetCreated time.Time `json:"-"`
80 Created time.Time `json:"created,omitempty"`
81 LastSeen time.Time `json:"last_seen,omitempty"`
82 }
84 // ApplyChange applies the properties of the passed ProfileChange
85 // to the Profile it is called on.
86 func (p *Profile) ApplyChange(change ProfileChange) {
87 if change.Name != nil {
88 p.Name = *change.Name
89 }
90 if change.Passphrase != nil {
91 p.Passphrase = *change.Passphrase
92 }
93 if change.Iterations != nil {
94 p.Iterations = *change.Iterations
95 }
96 if change.Salt != nil {
97 p.Salt = *change.Salt
98 }
99 if change.PassphraseScheme != nil {
100 p.PassphraseScheme = *change.PassphraseScheme
101 }
102 if change.Compromised != nil {
103 p.Compromised = *change.Compromised
104 }
105 if change.LockedUntil != nil {
106 p.LockedUntil = *change.LockedUntil
107 }
108 if change.PassphraseReset != nil {
109 p.PassphraseReset = *change.PassphraseReset
110 }
111 if change.PassphraseResetCreated != nil {
112 p.PassphraseResetCreated = *change.PassphraseResetCreated
113 }
114 if change.LastSeen != nil {
115 p.LastSeen = *change.LastSeen
116 }
117 }
119 // ApplyBulkChange applies the properties of the passed BulkProfileChange
120 // to the Profile it is called on.
121 func (p *Profile) ApplyBulkChange(change BulkProfileChange) {
122 if change.Compromised != nil {
123 p.Compromised = *change.Compromised
124 }
125 }
127 // ProfileChange represents a single atomic change to a Profile's mutable data.
128 type ProfileChange struct {
129 Name *string
130 Passphrase *string
131 Iterations *int
132 Salt *string
133 PassphraseScheme *int
134 Compromised *bool
135 LockedUntil *time.Time
136 PassphraseReset *string
137 PassphraseResetCreated *time.Time
138 LastSeen *time.Time
139 }
141 func (c ProfileChange) Empty() bool {
142 return (c.Name == nil && c.Passphrase == nil && c.Iterations == nil && c.Salt == nil && c.PassphraseScheme == nil && c.Compromised == nil && c.LockedUntil == nil && c.PassphraseReset == nil && c.PassphraseResetCreated == nil && c.LastSeen == nil)
143 }
145 // Validate checks the ProfileChange it is called on
146 // and asserts its internal validity, or lack thereof.
147 // A descriptive error will be returned in the case of
148 // an invalid change.
149 func (c ProfileChange) Validate() error {
150 if c.Empty() {
151 return ErrEmptyChange
152 }
153 if c.PassphraseScheme != nil && c.Passphrase == nil {
154 return ErrMissingPassphrase
155 }
156 if c.PassphraseReset != nil && c.PassphraseResetCreated == nil {
157 return ErrMissingPassphraseResetCreated
158 }
159 if c.PassphraseReset == nil && c.PassphraseResetCreated != nil {
160 return ErrMissingPassphraseReset
161 }
162 if c.Salt != nil && c.Passphrase == nil {
163 return ErrMissingPassphrase
164 }
165 if c.Iterations != nil && c.Passphrase == nil {
166 return ErrMissingPassphrase
167 }
168 return nil
169 }
171 // BulkProfileChange represents a single atomic change to many Profiles' mutable data.
172 // It is a subset of a ProfileChange, as it doesn't make sense to mutate some of the
173 // ProfileChange values across many Profiles all at once.
174 type BulkProfileChange struct {
175 Compromised *bool
176 }
178 func (b BulkProfileChange) Empty() bool {
179 return b.Compromised == nil
180 }
182 // Validate checks the BulkProfileChange it is called on
183 // and asserts its internal validity, or lack thereof.
184 // A descriptive error will be returned in the case of an
185 // invalid change.
186 func (b BulkProfileChange) Validate() error {
187 if b.Empty() {
188 return ErrEmptyChange
189 }
190 return nil
191 }
193 // Login represents a single human-friendly identifier for
194 // a given Profile that can be used to log into that Profile.
195 // Each Profile may only have one Login for each Type.
196 type Login struct {
197 Type string `json:"type,omitempty"`
198 Value string `json:"value,omitempty"`
199 ProfileID uuid.ID `json:"profile_id,omitempty"`
200 Created time.Time `json:"created,omitempty"`
201 LastUsed time.Time `json:"last_used,omitempty"`
202 }
204 type newProfileRequest struct {
205 Email string `json:"email"`
206 Passphrase string `json:"passphrase"`
207 Name string `json:"name"`
208 }
210 func validateNewProfileRequest(req *newProfileRequest) []requestError {
211 errors := []requestError{}
212 req.Name = strings.TrimSpace(req.Name)
213 req.Email = strings.TrimSpace(req.Email)
214 if len(req.Passphrase) < MinPassphraseLength {
215 errors = append(errors, requestError{
216 Slug: requestErrInsufficient,
217 Field: "/passphrase",
218 })
219 }
220 if len(req.Passphrase) > MaxPassphraseLength {
221 errors = append(errors, requestError{
222 Slug: requestErrOverflow,
223 Field: "/passphrase",
224 })
225 }
226 if len(req.Name) > MaxNameLength {
227 errors = append(errors, requestError{
228 Slug: requestErrOverflow,
229 Field: "/name",
230 })
231 }
232 if req.Email == "" {
233 errors = append(errors, requestError{
234 Slug: requestErrMissing,
235 Field: "/email",
236 })
237 }
238 if len(req.Email) > MaxEmailLength {
239 errors = append(errors, requestError{
240 Slug: requestErrOverflow,
241 Field: "/email",
242 })
243 }
244 re := regexp.MustCompile(".+@.+\\..+")
245 if !re.Match([]byte(req.Email)) {
246 errors = append(errors, requestError{
247 Slug: requestErrInvalidFormat,
248 Field: "/email",
249 })
250 }
251 return errors
252 }
254 type profileStore interface {
255 getProfileByID(id uuid.ID) (Profile, error)
256 getProfileByLogin(value string) (Profile, error)
257 saveProfile(profile Profile) error
258 updateProfile(id uuid.ID, change ProfileChange) error
259 updateProfiles(ids []uuid.ID, change BulkProfileChange) error
260 deleteProfile(id uuid.ID) error
262 addLogin(login Login) error
263 removeLogin(value string, profile uuid.ID) error
264 removeLoginsByProfile(profile uuid.ID) error
265 recordLoginUse(value string, when time.Time) error
266 listLogins(profile uuid.ID, num, offset int) ([]Login, error)
267 }
269 func (m *memstore) getProfileByID(id uuid.ID) (Profile, error) {
270 m.profileLock.RLock()
271 defer m.profileLock.RUnlock()
272 p, ok := m.profiles[id.String()]
273 if !ok {
274 return Profile{}, ErrProfileNotFound
275 }
276 return p, nil
277 }
279 func (m *memstore) getProfileByLogin(value string) (Profile, error) {
280 m.loginLock.RLock()
281 defer m.loginLock.RUnlock()
282 login, ok := m.logins[value]
283 if !ok {
284 return Profile{}, ErrLoginNotFound
285 }
286 m.profileLock.RLock()
287 defer m.profileLock.RUnlock()
288 profile, ok := m.profiles[login.ProfileID.String()]
289 if !ok {
290 return Profile{}, ErrProfileNotFound
291 }
292 return profile, nil
293 }
295 func (m *memstore) saveProfile(profile Profile) error {
296 m.profileLock.Lock()
297 defer m.profileLock.Unlock()
298 _, ok := m.profiles[profile.ID.String()]
299 if ok {
300 return ErrProfileAlreadyExists
301 }
302 m.profiles[profile.ID.String()] = profile
303 return nil
304 }
306 func (m *memstore) updateProfile(id uuid.ID, change ProfileChange) error {
307 m.profileLock.Lock()
308 defer m.profileLock.Unlock()
309 p, ok := m.profiles[id.String()]
310 if !ok {
311 return ErrProfileNotFound
312 }
313 p.ApplyChange(change)
314 m.profiles[id.String()] = p
315 return nil
316 }
318 func (m *memstore) updateProfiles(ids []uuid.ID, change BulkProfileChange) error {
319 m.profileLock.Lock()
320 defer m.profileLock.Unlock()
321 for id, profile := range m.profiles {
322 for _, i := range ids {
323 if id == i.String() {
324 profile.ApplyBulkChange(change)
325 m.profiles[id] = profile
326 break
327 }
328 }
329 }
330 return nil
331 }
333 func (m *memstore) deleteProfile(id uuid.ID) error {
334 m.profileLock.Lock()
335 defer m.profileLock.Unlock()
336 if _, ok := m.profiles[id.String()]; !ok {
337 return ErrProfileNotFound
338 }
339 delete(m.profiles, id.String())
340 return nil
341 }
343 func (m *memstore) addLogin(login Login) error {
344 m.loginLock.Lock()
345 defer m.loginLock.Unlock()
346 _, ok := m.logins[login.Value]
347 if ok {
348 return ErrLoginAlreadyExists
349 }
350 m.logins[login.Value] = login
351 m.profileLoginLookup[login.ProfileID.String()] = append(m.profileLoginLookup[login.ProfileID.String()], login.Value)
352 return nil
353 }
355 func (m *memstore) removeLogin(value string, profile uuid.ID) error {
356 m.loginLock.Lock()
357 defer m.loginLock.Unlock()
358 l, ok := m.logins[value]
359 if !ok {
360 return ErrLoginNotFound
361 }
362 if !l.ProfileID.Equal(profile) {
363 return ErrLoginNotFound
364 }
365 delete(m.logins, value)
366 pos := -1
367 for p, id := range m.profileLoginLookup[profile.String()] {
368 if id == value {
369 pos = p
370 break
371 }
372 }
373 if pos >= 0 {
374 m.profileLoginLookup[profile.String()] = append(m.profileLoginLookup[profile.String()][:pos], m.profileLoginLookup[profile.String()][pos+1:]...)
375 }
376 return nil
377 }
379 func (m *memstore) removeLoginsByProfile(profile uuid.ID) error {
380 m.loginLock.Lock()
381 defer m.loginLock.Unlock()
382 logins, ok := m.profileLoginLookup[profile.String()]
383 if !ok {
384 return ErrProfileNotFound
385 }
386 delete(m.profileLoginLookup, profile.String())
387 for _, login := range logins {
388 delete(m.logins, login)
389 }
390 return nil
391 }
393 func (m *memstore) recordLoginUse(value string, when time.Time) error {
394 m.loginLock.Lock()
395 defer m.loginLock.Unlock()
396 l, ok := m.logins[value]
397 if !ok {
398 return ErrLoginNotFound
399 }
400 l.LastUsed = when
401 m.logins[value] = l
402 return nil
403 }
405 func (m *memstore) listLogins(profile uuid.ID, num, offset int) ([]Login, error) {
406 m.loginLock.RLock()
407 defer m.loginLock.RUnlock()
408 ids, ok := m.profileLoginLookup[profile.String()]
409 if !ok {
410 return []Login{}, nil
411 }
412 if len(ids) > num+offset {
413 ids = ids[offset : num+offset]
414 } else if len(ids) > offset {
415 ids = ids[offset:]
416 } else {
417 return []Login{}, nil
418 }
419 logins := []Login{}
420 for _, id := range ids {
421 login, ok := m.logins[id]
422 if !ok {
423 continue
424 }
425 logins = append(logins, login)
426 }
427 return logins, nil
428 }
430 func cleanUpAfterProfileDeletion(profile uuid.ID, context Context) {
431 err := context.RemoveLoginsByProfile(profile)
432 if err != nil {
433 log.Printf("Error removing logins from profile %s: %+v\n", profile, err)
434 }
435 // BUG(paddy): need to terminate all sessions associated with the Profile
436 // BUG(paddy): need to invalidate all tokens associated with the Profile
437 // BUG(paddy): need to delete all the grants associated with the Profile
438 }
440 // RegisterProfileHandlers adds handlers to the passed router to handle the profile endpoints, like registration and user retrieval.
441 func RegisterProfileHandlers(r *mux.Router, context Context) {
442 r.Handle("/profiles", wrap(context, CreateProfileHandler)).Methods("POST")
443 // BUG(paddy): We need to implement a handler that will return information about a profile or set of profiles.
444 r.Handle("/profiles/{id}", wrap(context, UpdateProfileHandler)).Methods("PATCH")
445 r.Handle("/profiles/{id}", wrap(context, DeleteProfileHandler)).Methods("DELETE")
446 // BUG(paddy): We need to implement a handler that will add a login to a profile.
447 // BUG(paddy): We need to implement a handler that will remove a login from a profile. What happens to sessions created with that login?
448 // BUG(paddy): We need to implement a handler that will list the logins attached to a profile.
449 }
451 // CreateProfileHandler is an HTTP handler for registering new profiles.
452 func CreateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
453 scheme, ok := passphraseSchemes[CurPassphraseScheme]
454 if !ok {
455 log.Printf("Error selecting passphrase scheme #%d\n", CurPassphraseScheme)
456 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
457 return
458 }
459 var req newProfileRequest
460 errors := []requestError{}
461 decoder := json.NewDecoder(r.Body)
462 err := decoder.Decode(&req)
463 if err != nil {
464 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
465 return
466 }
467 errors = append(errors, validateNewProfileRequest(&req)...)
468 if len(errors) > 0 {
469 encode(w, r, http.StatusBadRequest, response{Errors: errors})
470 return
471 }
472 passphrase, salt, err := scheme.create(req.Passphrase, context.config.iterations)
473 if err != nil {
474 log.Printf("Error creating encoded passphrase: %#+v\n", err)
475 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
476 return
477 }
478 profile := Profile{
479 ID: uuid.NewID(),
480 Name: req.Name,
481 Passphrase: string(passphrase),
482 Iterations: context.config.iterations,
483 Salt: string(salt),
484 PassphraseScheme: CurPassphraseScheme,
485 Created: time.Now(),
486 LastSeen: time.Now(),
487 }
488 err = context.SaveProfile(profile)
489 if err != nil {
490 if err == ErrProfileAlreadyExists {
491 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/id"}}})
492 return
493 }
494 log.Printf("Error saving profile: %#+v\n", err)
495 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
496 return
497 }
498 logins := []Login{}
499 login := Login{
500 Type: "email",
501 Value: req.Email,
502 Created: profile.Created,
503 LastUsed: profile.Created,
504 ProfileID: profile.ID,
505 }
506 err = context.AddLogin(login)
507 if err != nil {
508 if err == ErrLoginAlreadyExists {
509 encode(w, r, http.StatusBadRequest, response{Errors: []requestError{{Slug: requestErrConflict, Field: "/email"}}})
510 return
511 }
512 log.Printf("Error adding login: %#+v\n", err)
513 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
514 return
515 }
516 logins = append(logins, login)
517 resp := response{
518 Logins: logins,
519 Profiles: []Profile{profile},
520 }
521 encode(w, r, http.StatusCreated, resp)
522 // TODO(paddy): should we kick off the email validation flow?
523 }
525 func UpdateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
526 errors := []requestError{}
527 vars := mux.Vars(r)
528 if vars["id"] == "" {
529 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
530 encode(w, r, http.StatusBadRequest, response{Errors: errors})
531 return
532 }
533 id, err := uuid.Parse(vars["id"])
534 if err != nil {
535 errors = append(errors, requestError{Slug: requestErrAccessDenied})
536 encode(w, r, http.StatusBadRequest, response{Errors: errors})
537 return
538 }
539 username, password, ok := r.BasicAuth()
540 if !ok {
541 errors = append(errors, requestError{Slug: requestErrAccessDenied})
542 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
543 return
544 }
545 profile, err := authenticate(username, password, context)
546 if err != nil {
547 if isAuthError(err) {
548 errors = append(errors, requestError{Slug: requestErrAccessDenied})
549 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
550 } else {
551 errors = append(errors, requestError{Slug: requestErrActOfGod})
552 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
553 }
554 return
555 }
556 if !profile.ID.Equal(id) {
557 errors = append(errors, requestError{Slug: requestErrAccessDenied})
558 encode(w, r, http.StatusForbidden, response{Errors: errors})
559 return
560 }
561 var req ProfileChange
562 decoder := json.NewDecoder(r.Body)
563 err = decoder.Decode(&req)
564 if err != nil {
565 log.Printf("Error decoding request: %#+v\n", err)
566 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
567 return
568 }
569 req.Iterations = nil
570 req.Salt = nil
571 req.PassphraseScheme = nil
572 req.Compromised = nil // BUG(paddy): Need a way for admins to mark accounts as compromised
573 req.LockedUntil = nil
574 req.LastSeen = nil
575 if req.Passphrase != nil {
576 if len(*req.Passphrase) < MinPassphraseLength {
577 errors = append(errors, requestError{Slug: requestErrInsufficient, Field: "/passphrase"})
578 encode(w, r, http.StatusBadRequest, response{Errors: errors})
579 return
580 }
581 if len(*req.Passphrase) > MaxPassphraseLength {
582 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/passphrase"})
583 encode(w, r, http.StatusBadRequest, response{Errors: errors})
584 return
585 }
586 iterations := context.config.iterations
587 scheme, ok := passphraseSchemes[CurPassphraseScheme]
588 if !ok {
589 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
590 return
591 }
592 curScheme := CurPassphraseScheme
593 req.PassphraseScheme = &curScheme
594 passphrase, salt, err := scheme.create(*req.Passphrase, iterations)
595 if err != nil {
596 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
597 return
598 }
599 req.Passphrase = &passphrase
600 req.Salt = &salt
601 req.Iterations = &iterations
602 }
603 if req.PassphraseReset != nil {
604 now := time.Now()
605 req.PassphraseResetCreated = &now
606 }
607 err = req.Validate()
608 if err != nil {
609 var status int
610 var resp response
611 switch err {
612 case ErrEmptyChange:
613 resp.Profiles = []Profile{profile}
614 status = http.StatusOK
615 default:
616 errors = append(errors, requestError{Slug: requestErrActOfGod})
617 resp.Errors = errors
618 status = http.StatusInternalServerError
619 }
620 encode(w, r, status, resp)
621 return
622 }
623 err = context.UpdateProfile(id, req)
624 if err != nil {
625 if err == ErrProfileNotFound {
626 errors = append(errors, requestError{Slug: requestErrNotFound})
627 encode(w, r, http.StatusNotFound, response{Errors: errors})
628 return
629 }
630 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
631 return
632 }
633 profile.ApplyChange(req)
634 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}})
635 return
636 }
638 func DeleteProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {
639 errors := []requestError{}
640 vars := mux.Vars(r)
641 if vars["id"] == "" {
642 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
643 encode(w, r, http.StatusBadRequest, response{Errors: errors})
644 return
645 }
646 id, err := uuid.Parse(vars["id"])
647 if err != nil {
648 errors = append(errors, requestError{Slug: requestErrAccessDenied})
649 encode(w, r, http.StatusBadRequest, response{Errors: errors})
650 return
651 }
652 username, password, ok := r.BasicAuth()
653 if !ok {
654 errors = append(errors, requestError{Slug: requestErrAccessDenied})
655 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
656 return
657 }
658 profile, err := authenticate(username, password, context)
659 if err != nil {
660 if isAuthError(err) {
661 errors = append(errors, requestError{Slug: requestErrAccessDenied})
662 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
663 } else {
664 errors = append(errors, requestError{Slug: requestErrActOfGod})
665 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
666 }
667 return
668 }
669 if !profile.ID.Equal(id) {
670 errors = append(errors, requestError{Slug: requestErrAccessDenied})
671 encode(w, r, http.StatusForbidden, response{Errors: errors})
672 return
673 }
674 err = context.DeleteProfile(id)
675 if err != nil {
676 if err == ErrProfileNotFound {
677 errors = append(errors, requestError{Slug: requestErrNotFound})
678 encode(w, r, http.StatusNotFound, response{Errors: errors})
679 return
680 }
681 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
682 return
683 }
684 encode(w, r, http.StatusOK, response{Profiles: []Profile{profile}})
685 go cleanUpAfterProfileDeletion(profile.ID, context)
686 }